News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Fun with NtYieldExecution

Started by Magnum, March 17, 2013, 08:08:48 AM

Previous topic - Next topic

Magnum


;  NtYieldExecution.asm
;  "Make them work a little."
;  Ollydbg, Windbg, and IDA Pro aren't aware of it, yet...:-)
;
;  SiegeWorks 2013 - Present A.P.K.
include \masm32\include\masm32rt.inc   

.CONST


.data
   
WaterMark   db  "SiegeWorks 2013 - Present ð__ð" ; Alt 240 char
%Date         db  " &@Date " ; Compile date
%time          db  " &@Time"  ; and time

startInfo     STARTUPINFO <>         
processInfo   PROCESS_INFORMATION <> 

caption  db "Fine",0
text     db "Hi!",0
text1    db "Bye!",0
Invalid  dw 0

.code

start:

assume fs:nothing  ;set up an SEH just in case 
push _seh
push fs:[0]
mov fs:[0],esp

invoke MessageBox,NULL,addr text,addr caption,MB_OK
call @call

@call:

pop eax          ; delta offset
add eax,0Eh   ; add eax with the no. of bytes (14 decimal) that will land at the actual code.

jmp eax          ; jump to the actual code to be executed.

dd 00E95564h  ;garbage bytes
dd 0E9830048h ;

cmp eax,1  ;actual code
jne next
jmp goon

next:

invoke MessageBox,NULL,addr text1,addr caption,MB_OK

goon:

;Begin a new process with an invalid name for the process name
INVOKE CreateProcess,addr Invalid,NULL,NULL,NULL,TRUE,00000008h,NULL,NULL,addr startInfo,addr processInfo
 
; Undocumented function NtYieldExecution
; Neither Ollydbg nor IDA know what this is

xor edx,edx   ;
MOV EAX,116h  ; Move "NtYieldExecution" Syscall number into EAX
int 2eh       ; Yield Execution to running process using Interrupt

.IF EAX == 0 ; not under debugger

.else
 
fn MessageBox,0,str$(eax),"BUSTED",MB_OK

.endif

invoke ExitProcess,0

_seh:

pop fs:[0]
mov ebx,[esp+4]
mov esp,ebx
jmp next

End_Mark db "Last byte in program."

end     start

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

qWord

what is so funny on NtYieldExecution aka SwitchToThread()?
MREAL macros - when you need floating point arithmetic while assembling!

Magnum

Thanks Qword, 2 ways to do the same thing.

Know of other functions with multiple ways ?

Andy
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Vortex

Hi Magnum,

Sorry if I could not understand but what's the reason of preferring an undocumentad native API function?

Magnum

I wasn't aware until Qword brought to my attention.

I prefer the documented functions.

Andy
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Magnum

I can't get SwitchToThread to work as anti RE measure like the undocumented method.

A calculator program overwrote my win.ini and sys.ini.
It should have appended it instead.

Are those used anymore ?

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Vortex

Hi Magnum,

win.ini and system.ini are used for 16-bit support.

dedndave

they are loaded at boot-time
you can bring up MsConfig.exe and selectively alter them

Magnum

If everythings still works in cmd.exe, I won't worry about restoring them.

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

i am running XP MCE2005, SP3
mine look like this - pretty standard stuff, i think

win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
MAPIX=1
OLEMessaging=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=MAPI32.DLL
MAPIXVER=1.0.0.1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
[SciCalc]
layout=0


system.ini
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON